Splunk

Question 1

Machine data makes up for more than ___% of the data accumulated by organizations.

Answer 1

90%

Question 2

Machine data is always structured.

Answer 2

False

Question 3

Machine data is only generated by web servers.

Answer 3

False

Question 4

What are the three main processing components of Splunk?

Answer 4

Forwarders, Search Heads, & Indexers

Question 5

Search strings are sent from the _________.

Answer 5

Search Heads

Question 6

In most Splunk deployments, ________ serve as the primary way data is supplied for indexing.

Answer 6

Forwarders

Question 7

Which function is not a part of a single instance deployment?

Answer 7

Clustering

Question 8

A single-instance deployment of Splunk Enterprise handles:

Answer 8

Indexing Search, Parsing, & Input

Question 9

What are the three main default roles in Splunk Enterprise?

Answer 9

Admin, User, & Power

Question 10

Which apps ship with Splunk Enterprise?

Answer 10

Home App & Search & Reporting

Question 11

This role will only see their own knowledge objects and those that have been shared with them.

Answer 11

User

Question 12

_________ define what users can do in Splunk.

Answer 12

Roles

Question 13

The password for a newly installed Splunk instance is:

Answer 13

Created when you install Splunk Enterprise

Question 14

Files indexed using the upload input option get indexed _____.

Answer 14

Once

Question 15

Splunk uses ________ to categorize the type of data being indexed.

Answer 15

Sourcetype

Question 16

The monitor input option will allow you to continuously monitor files.

Answer 16

True

Question 17

Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.

Answer 17

Source Type

Question 18

In most production environments, _______ will be used as the source of data input.

Answer 18

Forwarders

Question 19

Events are always returned in chronological order.

Answer 19

False

Question 20

Which following search mode toggles behavior based on the type of search being run?

Answer 20

Smart

Question 21

What is the order of evaluation for Boolean operations in Splunk?

Answer 21

NOT, OR, & AND

Question 22

When zooming in on the event timeline, a new search is run.

Answer 22

False

Question 23

Shared search jobs remain active for _______ by default.

Answer 23

7 days

Question 24

Field names are ________.

Answer 24

Case sensitive

Question 25

What attributes describe the circled field below?

Answer 25

It contains 4 values and a string value

Question 26

Field values are case sensitive

Answer 26

False

Question 27

Which is not a comparison operator in Splunk?

Answer 27

?=

Question 28

Wildcards cannot be used with field searches.

Answer 28

False

Question 29

What is the most efficient way to filter events in Splunk?

Answer 29

By time

Question 30

Time to search can only be set by the time range picker.

Answer 30

False

Question 31

As a general practice, exclusion is better than inclusion in a Splunk search.

Answer 31

False

Question 32

Having separate indexes allows:

Answer 32

Faster searches, ability to limit access and multiple retention policies.

Question 33

This symbol is used in the “Advanced” section of the time range picker to round down to nearest unit of specified time.

Answer 33

@

Question 34

What command would you use to remove the status field from the returned events?
Search string:
sourcetype=a* status=404 | _______ status (Last 24 hours)

Answer 34

Field

Question 35

Excluding fields using the Fields Command will benefit performance.

Answer 35

False

Question 36

What is missing from this search?
Search:
sourcetype=a* | rename IP as “User IP” | table User IP

Answer 36

A question mark around User IP.

Question 37

Finish the rename command to change the name of the status field to HTTP Status.

Answer 37

Search:
sourcetype=a* status=404 | rename _________

status as “HTPP Status”

Question 38

Would the IP column be removed in the results of this search? Why or why not?

Answer 38

No, because the name was changed

Question 39

Which one of these is not a stats function?

Answer 39

Addtotals

Question 40

How many results are shown by default when using a Top or Rare Command?

Answer 40

10

Question 41

Which stats function would you use to find the average value of a field?

Answer 41

Avg

Question 42

Which clause would you use to rename the count field?
Search:
sourcetype=vendor* | stats count __ “Units Sold”

Answer 42

As

Question 43

To display the most common values in a specific field, what command would you use?

Answer 43

Top

Question 44

A time range picker can be included in a report.

Answer 44

True

Question 45

The User role cannot create reports.

Answer 45

False

Question 46

Charts can be based on numbers, time, or location.

Answer 46

True

Question 47

These roles can create reports:

Answer 47

User, Power, & Admin

Question 48

_____________ are reports gathered together into a single pane of glass.

Answer 48

Dashboards

Question 49

Pivots cannot be saved as reports panels.

Answer 49

False

Question 50

Which role(s) can create data models?

Answer 50

Admin & Power

Question 51

These are knowledge objects that provide the data structure for pivot.

Answer 51

Data models

Question 52

Pivots can be saved as dashboards panels.

Answer 52

True

Question 53

Data models are made up of ___________.

Answer 53

Datasets

Question 54

A lookup is categorized as a dataset.

Answer 54

True

Question 55

Finish this search command so that it displays data from the http_status.csv Lookup file.

Answer 55

Inputlookup
Search:
___ http __status.csv

Question 56

To keep from overwriting existing fields with your Lookup you can use the ____________ clause.

Answer 56

Outputnew

Question 57

When using a .csv file for Lookups, the first row in the file represents this.

Answer 57

Field names

Question 58

External data used by a Lookup can come from sources like:

Answer 58

Geospatial data, scripts, & csv files

Question 59

Alerts can run uploaded scripts.

Answer 59

True

Question 60

Once an alert is created, you can no longer edit its defining search.

Answer 60

False

Question 61

Alerts can send an email.

Answer 61

True

Question 62

Alerts can be shared to all apps.

Answer 62

True

Question 63

Real-time alerts will run the search continuously in the background

Answer 63

True

Question 64

Which of these is not a main component of Splunk?

Answer 64

Compress & archive

Question 65

Which function is not a part of a single instance deployment?

Answer 65

Clustering

Question 66

Which apps ship with Splunk Enterprise?

Answer 66

Search & reporting & home app

Question 67

You can launch and manage apps from the home app.

Answer 67

True

Question 68

This role will only see their own knowledge objects and those that have been shared with them.

Answer 68

User

Question 69

Splunk uses ________ to categorize the type of data being indexed.

Answer 69

Source types

Question 70

Splunk knows where to break the event, where the time stamp is located and how to automatically create field value pairs using these.

Answer 70

Source types

Question 71

Files indexed using the upload input option get indexed _____.

Answer 71

Once

Question 72

The time stamp you see in the events is based on the time zone in your user account.

Answer 72

True

Question 73

How is the asterisk used in Splunk search?

Answer 73

A wildcard

Question 74

Have values in at least 20% of the events.

Answer 74

Interesting fields

Question 75

Which command removes results with duplicate field values?

Answer 75

Dedup

Question 76

How would you show the top five vendors without showing the percentage field?

Answer 76

… | top Vendor limit=5 showperc=f